• fubo@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    2 years ago

    I’m not sure what the issue is here… Did you know that your ISP has a record of every website you’ve ever been to on a server you don’t control and they can look at it whenever they want?

    This is pretty much entirely incorrect.

    It is part of the purpose of HTTPS that your ISP does not have the URLs of pages you visited, nor the content of the data sent in either direction. That information is all encrypted from your browser to the web server and vice-versa.

    Encryption became standard in browsers in two waves: first, with the commercialization of the Web in the late 1990s and the need to encrypt financial credentials (e.g. credit card numbers) to do e-commerce; and second, after the Snowden NSA scandal that led to almost all non-commercial web sites adopting HTTPS as standard, followed by most browsers flagging unencrypted sites as “insecure”.

    Classically, your ISP would have the domain names (e.g. lemmy.world) as you’d usually be using your ISP’s DNS server; and even if you were using a remote DNS server the DNS traffic would be unencrypted through your ISP’s network.

    But these days, they might not even have the domain names, as DNS over HTTPS is used in many browsers today.

    Even today though — unless you’re using a VPN, Tor, or some other form of encrypted tunneling — your ISP can certainly discover the IP addresses of hosts you communicate with.

    • Red Wizard 🪄@lemmygrad.ml
      link
      fedilink
      English
      arrow-up
      1
      ·
      2 years ago

      Yes there is a distinction between webPAGE and webSITE. Which is why I used site and not page. I never said they have the URLs, that was you.

      I build and maintain networks for a living, so I know what the network operators do and do not have access to.

      As a user of any network, you should be walking around under the assumption that every network is hostile.

      Regardless, my point still stands. You should have no expectation of privacy when you don’t control the system your using. Especially these self hosted federated systems. Let alone a public webform where your sharing your thoughts and ideas and other PII.

      • Don’t use repeat usernames across services
      • Don’t include your full name
      • Don’t include your photo
      • Ditch your account periodically and make a new one
      • Maintain separate accounts for different interests, especially NSFW content.

      If you leave a trail of breadcrumbs, you will be found.

      Unless the DMs are encrypted using your own keys, your DMs are one SQL query away from being nightly reading material for any instance admin.

      That’s the leading privacy concern with these systems. You might think your DMs are private, but unless their encrypted, any DBA can read them. You better hope the Admins of your instance have no voyeuristic intentions.